GDPR: What We Already Know (and Don’t)

by UserStory, May 13th, 2025

Too Long; Didn't Read

This literature review surveys consumer and corporate research on GDPR awareness and DPA knowledge, uncovers contradictory findings, and proposes two hypotheses about what people really know.

Abstract and 1. Introduction

  2. Background to the GDPR

  3. Literature Review

    3.1 Consumer awareness and knowledge of the regulation

    3.2 Consumer awareness and knowledge of the regulator

    3.3 Consumer perceptions of privacy

    3.4 Business response to Data Protection regulation

    3.5 Employee awareness of their employer’s Data Protection regulator

    3.6 Employee perception of benefit of the GDPR to their employer

    3.7 The research goal is the consumer/employee perception of the GDPR

    3.8 Summary

  4. Methods

    4.1 Design

    4.2 Data Analysis and 4.3 Ethical considerations

  5. Analysis and Results

    5.1 Background demographics and 5.2 Hypothesis 1: Consumers are aware and knowledgeable about the GDPR

    5.3 Hypothesis 2: Consumers lack awareness and knowledge about the regulator

    5.4 Hypothesis 3: Consumers feel their privacy is better since GDPR was introduced

    5.5 Hypothesis 4: Companies have responded to GDPR and made changes

    5.6 Hypothesis 5: Employees lack awareness of the GDPR regulator at work

    5.7 Hypothesis 6: Employees have seen little benefits to their company from GDPR

    5.8 Research question: GDPR: Is it worth it? and 5.9 A regression model based on the dual professional-consumer perspective

  6. Discussion and 6.1 High consumer awareness and knowledge of the GDPR

    6.2 Respondents lacked a formed opinion and 6.3 GDPR has driven changes

    6.4 Perceptions of privacy have improved and 6.5 The profile of the regulator may not matter

    6.6 Regulator Enforcer and 6.7 GDPR is worth it if...

    6.8 Implications

    6.9 Limitations and future work

  7. Conclusion, Funding and Disclosure Statement, and References

A. Table of Survey Responses

B. Regression Analysis

C. Survey

3 LITERATURE REVIEW

Given the unique nature of our research target group, we review the literature from a consumer and business perspective—namely consumer awareness and knowledge of the GDPR and DPAs, consumer perceptions of privacy, the response of business to implementing the GDPR, the awareness of staff within the business of the measures required to operationalise it and their perception of its benefit to them and to their company. We find outstanding contradictions in prior works and blind spots that lead us to a series of research questions that we investigate further in our study as summarised in Section 3.8.

3.1 Consumer awareness and knowledge of the regulation

An informed citizenry is vital for a well-functioning democracy. The GDPR makes the awareness-raising duties of Data Protection Authorities (DPA) explicit. Under Article 57.1, the DPAs have an obligation to ‘promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing’. DPAs employ various activities to raise awareness, ranging from publishing press releases, penalty notices, educational materials and commentaries, to hosting public meetings and events. These activities are aimed at companies as much as at citizens [32].


The success of this awareness-raising challenge attracts wildly differing verdicts. On the low side, a private survey of over 289K consumers, coinciding with the first anniversary of the GDPR in May 2019, found ‘A staggering eight percent of consumers globally feel they have a better understanding of how companies use their data since the GDPR’s introduction’ [41].


On the high side, a Eurobarometer survey on the same May 2019 anniversary found 67% of respondents had heard of the GDPR, 36% had heard of it and knew what it was, almost 73% had heard of at least one right guaranteed by the GDPR and 31% had heard of all the rights asked about in the survey [21]. The level of awareness varied wildly between countries, from 90% in Sweden all the way to 44% in France.


A later secondary analysis of the same 2019 EU Eurobarometer survey showed education, occupation, and age were the strongest socio-demographic predictors of GDPR awareness, with little influence of gender, subjective economic well-being, or locality size.


Sources of information also differ. In the 2020 ‘Data Protection or Data Frustration? Individual Perceptions and Attitudes towards the GDPR’, Strycharz et al. (2020) found most respondents learnt about the Regulation from the news (47%), followed by their employer (36%) and cookie notices on websites.


Despite the contradictory results from prior surveys, we hypothesise the trend is positive.


Hypothesis 1: Consumers are aware and knowledgeable about the GDPR.

3.2 Consumer awareness and knowledge of the regulator

Conscious of their duty to promote public awareness, regulators conduct surveys, albeit their definitions and metrics vary wildly across the EU. Professional services firms and data rights groups also conduct and publish GDPR-related surveys. Academic surveys on regulator awareness are sparse.


An EU Eurobarometer survey [21] of 27,524 people across the 28 member states found 57% had heard about the existence of a public authority in their country responsible for protecting their rights regarding their personal data—an increase of 20% on a 2015 survey.


The Belgian DPA (2021) takes a different approach. In its 2020 annual report, it congratulates the increased awareness of citizens because ‘the year 2020 saw a sharp increase in the number of complaints (+290.64%) and data breach notifications (+25.09%) received by the BE DPA and, more generally, a significant increase in the DPA’s workload’.


The UK Information Commissioner’s (ICO) 2021 Annual Report (2021) contains an annual track survey of 2,000 people to measure its strategic performance in supporting the public. It found 28% of people have high trust and confidence (compared with 27% in 2020), with a similar number stating they have low trust and confidence (29%, compared with 28% in 2020).


Awareness of the GDPR translates for some into awareness of the regulator’s punitive power. For example, the international law firm DLA Piper (2022) publishes an annual fine and data breach survey as part of their public relations strategy to communicate the need for proper advice on GDPR matters. Privacy advocates follow a similar path. AccessNow [19] is a digital rights group that publishes an annual evaluation of GDPR. In its most recent report ‘Three Years Under GDPR’, it focuses on the number and value of data fines and concludes ‘GDPR implementation is proving to be nothing but hot air’ due to a lack of enforcement.


In sum, apart from the EC’s four-yearly survey, regulators are not measuring their brand awareness. Instead they measure proxies such as customer confidence, consumer complaints or breach notifications, whilst professional services firms and advocacy groups focus more on fines for their own reasons. Familiarity with the regulator among laypeople appears to be under-tested or untested. We conjecture:


Hypothesis 2: Consumers lack awareness and knowledge of the regulator.


Authors:

(1) Gerard Buckley, University College London, UK (gerard.buckley.18@ucl.ac.uk);

(2) Tristan Caulfield, University College London, UK (t.caulfield@ucl.ac.uk);

(3) Ingolf Becker, University College London, UK (i.becker@ucl.ac.uk).


This paper is available on arXiv under the CC BY 4.0 DEED license.

